@refrakt-md/planhub

CLI plugin for Plan Hub. Loaded by @refrakt-md/cli via its plugin system — once installed alongside the CLI, refrakt planhub <command> resolves automatically.

Install

npm install -D @refrakt-md/cli @refrakt-md/planhub

Commands

refrakt planhub login [--server <url>] [--verbose]

Authenticate with Plan Hub using GitHub's OAuth device flow. Prints a short user code and a verification URL; you open the URL in a browser, enter the code, and the CLI polls until GitHub returns a token. That token is exchanged for a Plan Hub session token and stored locally.

The Plan Hub session token is what's used on subsequent requests — the GitHub token itself is not retained on disk.

refrakt planhub logout [--server <url>]

Remove the stored session token for the given server (or the resolved default server if no flag is passed).

Server selection

The CLI resolves the target server in this order:

1. --server <url> flag
2. PLAN_HUB_SERVER env var
3. Built-in default: https://plan.refrakt.md

QA is https://qa.plan.refrakt.md. Local dev against apps/plan-hub works with --server http://localhost:5173.

Token storage

Tokens are written to a single JSON file keyed by normalised server URL, so you can hold valid tokens against prod, qa, and localhost simultaneously without re-authenticating on every switch.

• POSIX: $XDG_CONFIG_HOME/refrakt/plan-hub-tokens.json (fallback ~/.config/refrakt/plan-hub-tokens.json), parent dir 0700, file 0600.
• Windows: %APPDATA%\refrakt\plan-hub-tokens.json with default NTFS ACLs. This is a known gap — on a shared machine the file is readable by other local users. Hardening (Windows Credential Manager or icacls) is tracked in WORK-045.

PLAN_HUB_TOKEN env var, when set, takes precedence over the on-disk file for the resolved server — useful in CI and scripted contexts.